Malware Analysis Report

2025-06-15 20:06

Sample ID 240515-mswx8adg98
Target 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118
SHA256 3b9a638cd3fe3315d7aa86d50f41647c0d33f05893d8d3f67ed360cefb670e86
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3b9a638cd3fe3315d7aa86d50f41647c0d33f05893d8d3f67ed360cefb670e86

Threat Level: Known bad

The file 45cb60ae113dec6e981c4de731eeec82_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Windows security modification

Enumerates connected drives

Adds Run key to start application

Modifies WinLogon

AutoIT Executable

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 10:44

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 10:44

Reported

2024-05-15 10:46

Platform

win7-20231129-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wbqgyfke = "rawzmsvtwq.exe" C:\Windows\SysWOW64\omupujwxtivgfok.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pfmzukdg = "omupujwxtivgfok.exe" C:\Windows\SysWOW64\omupujwxtivgfok.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "jlttdjmydcbbv.exe" C:\Windows\SysWOW64\omupujwxtivgfok.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\k: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\sznufzsr.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omupujwxtivgfok.exe C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\omupujwxtivgfok.exe C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\sznufzsr.exe C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\jlttdjmydcbbv.exe C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File created C:\Windows\SysWOW64\rawzmsvtwq.exe C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\rawzmsvtwq.exe C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\sznufzsr.exe C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\jlttdjmydcbbv.exe C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\sznufzsr.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAFAB9FE13F29984753B4B819C3E99B38B02FD4215033EE1C842EF08A1" C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412C799D5582556A3177D377202DDA7CF265D8" C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFBFF8B4F5F826E913CD72D7DE7BCE4E136594467456345D6E9" C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
N/A N/A C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
N/A N/A C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
N/A N/A C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
N/A N/A C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
N/A N/A C:\Windows\SysWOW64\sznufzsr.exe N/A
N/A N/A C:\Windows\SysWOW64\sznufzsr.exe N/A
N/A N/A C:\Windows\SysWOW64\sznufzsr.exe N/A
N/A N/A C:\Windows\SysWOW64\sznufzsr.exe N/A
N/A N/A C:\Windows\SysWOW64\omupujwxtivgfok.exe N/A
N/A N/A C:\Windows\SysWOW64\omupujwxtivgfok.exe N/A
N/A N/A C:\Windows\SysWOW64\omupujwxtivgfok.exe N/A
N/A N/A C:\Windows\SysWOW64\omupujwxtivgfok.exe N/A
N/A N/A C:\Windows\SysWOW64\omupujwxtivgfok.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\sznufzsr.exe N/A
N/A N/A C:\Windows\SysWOW64\sznufzsr.exe N/A
N/A N/A C:\Windows\SysWOW64\sznufzsr.exe N/A
N/A N/A C:\Windows\SysWOW64\sznufzsr.exe N/A
N/A N/A C:\Windows\SysWOW64\omupujwxtivgfok.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\omupujwxtivgfok.exe N/A
N/A N/A C:\Windows\SysWOW64\omupujwxtivgfok.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\omupujwxtivgfok.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\omupujwxtivgfok.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\omupujwxtivgfok.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\omupujwxtivgfok.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\omupujwxtivgfok.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\omupujwxtivgfok.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\omupujwxtivgfok.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\omupujwxtivgfok.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A
N/A N/A C:\Windows\SysWOW64\omupujwxtivgfok.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2060 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe C:\Windows\SysWOW64\rawzmsvtwq.exe
PID 2060 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe C:\Windows\SysWOW64\rawzmsvtwq.exe
PID 2060 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe C:\Windows\SysWOW64\rawzmsvtwq.exe
PID 2060 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe C:\Windows\SysWOW64\rawzmsvtwq.exe
PID 2060 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe C:\Windows\SysWOW64\omupujwxtivgfok.exe
PID 2060 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe C:\Windows\SysWOW64\omupujwxtivgfok.exe
PID 2060 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe C:\Windows\SysWOW64\omupujwxtivgfok.exe
PID 2060 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe C:\Windows\SysWOW64\omupujwxtivgfok.exe
PID 2060 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe C:\Windows\SysWOW64\sznufzsr.exe
PID 2060 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe C:\Windows\SysWOW64\sznufzsr.exe
PID 2060 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe C:\Windows\SysWOW64\sznufzsr.exe
PID 2060 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe C:\Windows\SysWOW64\sznufzsr.exe
PID 2060 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe C:\Windows\SysWOW64\jlttdjmydcbbv.exe
PID 2060 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe C:\Windows\SysWOW64\jlttdjmydcbbv.exe
PID 2060 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe C:\Windows\SysWOW64\jlttdjmydcbbv.exe
PID 2060 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe C:\Windows\SysWOW64\jlttdjmydcbbv.exe
PID 2132 wrote to memory of 2564 N/A C:\Windows\SysWOW64\rawzmsvtwq.exe C:\Windows\SysWOW64\sznufzsr.exe
PID 2132 wrote to memory of 2564 N/A C:\Windows\SysWOW64\rawzmsvtwq.exe C:\Windows\SysWOW64\sznufzsr.exe
PID 2132 wrote to memory of 2564 N/A C:\Windows\SysWOW64\rawzmsvtwq.exe C:\Windows\SysWOW64\sznufzsr.exe
PID 2132 wrote to memory of 2564 N/A C:\Windows\SysWOW64\rawzmsvtwq.exe C:\Windows\SysWOW64\sznufzsr.exe
PID 2060 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2060 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2060 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2060 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2584 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2584 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2584 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2584 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe"

C:\Windows\SysWOW64\rawzmsvtwq.exe

rawzmsvtwq.exe

C:\Windows\SysWOW64\omupujwxtivgfok.exe

omupujwxtivgfok.exe

C:\Windows\SysWOW64\sznufzsr.exe

sznufzsr.exe

C:\Windows\SysWOW64\jlttdjmydcbbv.exe

jlttdjmydcbbv.exe

C:\Windows\SysWOW64\sznufzsr.exe

C:\Windows\system32\sznufzsr.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2060-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\omupujwxtivgfok.exe

MD5 db26e0d6f05c046c319ce16d45f1e6a5
SHA1 fb035daa8a1d8b941e19c4092671fca2eaf5e316
SHA256 98dd67a228f1615723c69ee3a499e32ec35c1ae87105daf5dd6f1da6b776b7d8
SHA512 b1df8e6b5998215474b473b349f53fc19ace83ab92289cb5483bbbe147f0b4126c2fe7c84c859a9d7c071eecb3dc8f6c4e82a743afc02edb4fd9bc1daa51af93

\Windows\SysWOW64\rawzmsvtwq.exe

MD5 aa04d7069a86e719a79a8bd27f5aa364
SHA1 ffbc4dc8a4dfe0f4a6276f4e93a60d4479d2dd27
SHA256 fc8a6f0b012f066d6819e947dfacd43d799eab1614c9e5780755522aa945c66e
SHA512 7d61097a75c33a26f90691a80958d0f6ec6609b276ec2f762a4698e1d293dd49582e56b4f0be1990ba78f202dfa4faebe6277c980a5fa4859cc9575723410aad

\Windows\SysWOW64\sznufzsr.exe

MD5 4a822b533c807eba42eafcbf79383565
SHA1 0a765f2c290a2077ae9f2870fe5d3dfd4c0392ee
SHA256 a90b57804548ac070247f04d4cffe222487d28d4e6e49df7358e5ebb52e2645c
SHA512 068d756050946e3e3fdf4a4e44ec652a85429a405c267ecb075b1c3601e65ef3c9e7e1f1bf8251e1e11a2933021f0a855c271e71c3daa0152ef381d6dcf458ba

\Windows\SysWOW64\jlttdjmydcbbv.exe

MD5 a7983ed0cc36b67717ed0f7c43900f89
SHA1 fb9d959f6d5614cc6a9f6a07ff111362c04fc3d0
SHA256 40635b905afd88fb8762f76794c3517ce3fab0251cd8995e8c5996efdf4613cb
SHA512 05a15af7d5ef38f52981970e70dadc9c37a440d3d6084e5f5fb091d2de225786ff74b243d491fbd44de309aa85e9301b0aa474221545eac964fd69a773c8c34a

memory/2584-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 dd776bb7ce50084504e777295215ee7e
SHA1 71a94593f4e62ea40a880877377a68e8c6a67d5f
SHA256 dade16dfc07fa446eca15837b51b2d282cb3234c409753612de7101e1201184c
SHA512 f05137777c35fb87887e018fdb4bae1ff5026332e85b72d975e5fa3a5bb193000bfce5bb99d7da13879f8ca0b4962a544530b7d95366fe740b0d3ccc8e632763

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 0820c40e887801700a3b8a9e7f7ee80a
SHA1 9d89a4cbeaebc8e73ac4c21edbde85f1d8910f45
SHA256 2b31beab00c29d486aaf3a4e2a6206fdbf038603ed348c501ca8ce949597dbf8
SHA512 7bf7b1a10df90d64ea4b62bccd5d791284129da23b24235e3cf5aff9d5eae0bb4cbf4dcd78b230b742b3988a3539ceee44f7ceb05a6666e1545ceb1cdb964a12

memory/2584-93-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 10:44

Reported

2024-05-15 10:46

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wbqgyfke = "rawzmsvtwq.exe" C:\Windows\SysWOW64\omupujwxtivgfok.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfmzukdg = "omupujwxtivgfok.exe" C:\Windows\SysWOW64\omupujwxtivgfok.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "jlttdjmydcbbv.exe" C:\Windows\SysWOW64\omupujwxtivgfok.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\sznufzsr.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\sznufzsr.exe C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File created C:\Windows\SysWOW64\omupujwxtivgfok.exe C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\omupujwxtivgfok.exe C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\sznufzsr.exe C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\jlttdjmydcbbv.exe C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File created C:\Windows\SysWOW64\rawzmsvtwq.exe C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\rawzmsvtwq.exe C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\jlttdjmydcbbv.exe C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\sznufzsr.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\sznufzsr.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sznufzsr.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sznufzsr.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB1B02047E0389853C8B9A733EFD4C4" C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412C799D5582556A3177D377202DDA7CF265D8" C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFBFF8B4F5F826E913CD72D7DE7BCE4E136594467456345D6E9" C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAFAB9FE13F29984753B4B819C3E99B38B02FD4215033EE1C842EF08A1" C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F66BB7FF1C21DFD179D0A88A0B9116" C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193FC60C1594DBB1B9C17C94EDE534CE" C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\rawzmsvtwq.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\omupujwxtivgfok.exe N/A
N/A N/A C:\Windows\SysWOW64\rawzmsvtwq.exe N/A
N/A N/A C:\Windows\SysWOW64\sznufzsr.exe N/A
N/A N/A C:\Windows\SysWOW64\jlttdjmydcbbv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3008 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe C:\Windows\SysWOW64\rawzmsvtwq.exe
PID 3008 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe C:\Windows\SysWOW64\omupujwxtivgfok.exe
PID 3008 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe C:\Windows\SysWOW64\sznufzsr.exe
PID 3008 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe C:\Windows\SysWOW64\jlttdjmydcbbv.exe
PID 3008 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 1148 wrote to memory of 4216 N/A C:\Windows\SysWOW64\rawzmsvtwq.exe C:\Windows\SysWOW64\sznufzsr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\45cb60ae113dec6e981c4de731eeec82_JaffaCakes118.exe"

C:\Windows\SysWOW64\rawzmsvtwq.exe

rawzmsvtwq.exe

C:\Windows\SysWOW64\omupujwxtivgfok.exe

omupujwxtivgfok.exe

C:\Windows\SysWOW64\sznufzsr.exe

sznufzsr.exe

C:\Windows\SysWOW64\jlttdjmydcbbv.exe

jlttdjmydcbbv.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\sznufzsr.exe

C:\Windows\system32\sznufzsr.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4528,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
BE 88.221.83.209:443 www.bing.com tcp
US 8.8.8.8:53 209.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
BE 2.17.196.82:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
NL 104.110.191.169:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 82.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 169.191.110.104.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 195.201.50.20.in-addr.arpa udp
US 8.8.8.8:53 16.43.107.13.in-addr.arpa udp

Files

memory/3008-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\omupujwxtivgfok.exe

C:\Windows\SysWOW64\rawzmsvtwq.exe

C:\Windows\SysWOW64\sznufzsr.exe

C:\Windows\SysWOW64\jlttdjmydcbbv.exe

memory/2340-35-0x00007FF88CFB0000-0x00007FF88CFC0000-memory.dmp

memory/2340-37-0x00007FF88CFB0000-0x00007FF88CFC0000-memory.dmp

memory/2340-36-0x00007FF88CFB0000-0x00007FF88CFC0000-memory.dmp

memory/2340-38-0x00007FF88CFB0000-0x00007FF88CFC0000-memory.dmp

memory/2340-39-0x00007FF88CFB0000-0x00007FF88CFC0000-memory.dmp

memory/2340-40-0x00007FF88A650000-0x00007FF88A660000-memory.dmp

memory/2340-42-0x00007FF88A650000-0x00007FF88A660000-memory.dmp

C:\Windows\mydoc.rtf

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

C:\Users\Admin\AppData\Roaming\DismountSave.doc.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

C:\Users\Admin\AppData\Local\Temp\TCD27DB.tmp\sist02.xsl

memory/2340-605-0x00007FF88CFB0000-0x00007FF88CFC0000-memory.dmp

memory/2340-606-0x00007FF88CFB0000-0x00007FF88CFC0000-memory.dmp

memory/2340-604-0x00007FF88CFB0000-0x00007FF88CFC0000-memory.dmp

memory/2340-607-0x00007FF88CFB0000-0x00007FF88CFC0000-memory.dmp